The Year of the Social Engineer
2013 was an epic year. There were a lot of major events and a lot of serious breaches over the last 12 months. For most of us, the use of social engineering in a large portion of these breaches was most notable. It was estimated that over 65% of the attacks used some form of social engineering such as phishing, phone, or in person. Let’s take a look at just two noteworthy attacks and talk a little about what to expect in 2014.
The Syrian Electronic Army (SEA)
There certainly has been a lot of buzz about the Syrian Electronic Army (SEA). Many attacks have been attributed to them over the last year, such as those on Harvard, LinkedIn, Aljazeera, the NY Times, etc. The Electronic Frontier Foundation (EFF) has put together a report discussing the methods the SEA has used in many attacks on the digital battlefield, and social engineering is one of the major weapons in their arsenal.
Malicious Links: Social engineers often trick a target into visiting a page that has malware loaded on it. In the SEA’s case, they hijack a target’s Facebook page and put a link on it that looks like it is going to one site but instead forces the victim to another site that loads exploits onto their computer.
Malware: The SEA uses a remote access trojan (RAT) or other types of malicious software to capture keystrokes and screenshots and to log everything that the victim does on their system.
Phone and Live SE: This particular type of attack is very malicious and sneaky. The SEA has been known to use a combination of emails and phone calls: they send a message to their target via email, then call to back up the email and get the target to click the link in the message or open its attachments.
Regardless of how they accomplish their goals, we see an increase in their use of phishing emails as the basis for their attacks. This just highlights something we have been saying since our inception: we need to create a critical thinking environment for ourselves, our employees, friends, and families. Phishing cannot be stopped with technical tools. It can really only be stopped by having good policies for what to do when we receive these types of emails, when to avoid clicking on links, and what to do when we suspect foul play.
Bitcoins certainly were a hot topic in 2013 and were of interest to most of us this past year. This strange currency popped up out of nowhere and then became as valuable as gold. 4,100 bitcoins, worth about $1.2 million USD, were stolen from one website. Only 2 attacks were needed to pull off this heist. How did the attackers do this? Social engineering!
First, they set up a proxy near the company’s location so that, if they were traced, the connection would not look as suspicious. They then went to the website and hit the “Password reset” link. Thanks to open-source intelligence (OSINT), they were able to successfully answer the security questions and reset the password. They then logged in and calmly ‘walked off’ with over $1 million USD.
Simplistic, huh? Unfortunately, most social engineering attacks are simplistic. Why? They rely on human factors like trust, rapport, and influence. Time and again we speak about how the very same principles that create friendships, bonds, feelings of love and respect can be used to create those same emotions, but for nefarious purposes.
Was it just a 2013 problem?
As technology progresses, we also see the malicious hacker’s options for attack increasing. It is so easy now to spoof your phone number using free or very inexpensive services. It takes only a few steps to set up email accounts, many for free, that cannot be traced and can be used for these purposes. Cloning badges and employee clothing is also inexpensive and easy for most people. Combined with the fact that many people are willing to give these things a try, this is a breeding ground for social engineers and scammers.
I never claim to be a prophet and I hate being a bearer of bad news, but based upon what we discussed above, I think we will see a definite increase in social engineering attacks in 2014. The use of phishing will increase as malware becomes more sophisticated. Another trend we will see as the economies around the globe suffer will be an increase in crime.
Even though analysts are claiming that in 2014 the global economy will even out and grow, there are many people who have lost a lot due to economic hardships over the past few years. Just as in the US, many European countries will see their fair share of individuals losing their homes, jobs, and life savings. When these things occur, we can also expect to see an increase in cyber crimes.
What Can You Do?
I already mentioned one area above – critical thinking, but there are a few other things you can personally do to protect yourself:
1. Education/Awareness: Reading materials like this newsletter, the blogs on Social-Engineer.Org and Social-Engineer.Com, as well as other sites, will keep you informed of the types of attacks being used.
2. Preparation: Prepare yourself in what to do when you get a phishing email. What should you do if you click on a link? What should you do if you suspect a malicious email or phone call you receive? Preparing your mind ahead of time will help you react in a safe and smart manner.
3. Reporting: If you suspect you are a victim of phishing, phone, or in-person social engineering, tell your manager. If you have an Information Security Department, report it to them immediately or notify your IT department. If it occurs at home on a personal level, monitor your bank accounts and make sure your virus scanners are up to date. Although there are many bypasses for AV, you want to try your hardest not to be the “low-hanging fruit” in these scenarios.
Keep in mind that there is no way to be 100% secure from social engineering attacks, but these simple tips can help reduce your risk level. 2014 is going to be an exciting year; a year with massive enhancements to technology and the market. Just make sure you stay safe, think critically, and most of all, be aware.
‘Till next month!
Written by Christopher Hadnagy